Solved

SBS 2011 - Exchange 2010 - Delayed incoming email

Posted on 2013-12-11
Last Modified: 2014-02-11
Hey Guys

I've got a strange thing happening with some incoming emails from certain domains.
A user will send an email out at say 9.08am.
The email is received by the recipient within a minute or so.
The recipient emails back their reply 20min later say 9.27am.
But the user doesn't receive the reply until 5.04pm that day.
This is happening in OWA as well as Outlook.

I have checked the connection logs for that time and I can't see any errors.

One thing I noticed in the receive logs is quite a few errors about "4.3.2 Service not available". Though those errors don't really occur at the same time as I'd expect the reply to come in.

Here is a screenshot of the log for one of the days that the issue occurred (however I think that looks like an issue with their printer):
[Screenshot: receive connector log]
Are there any other logs you would suggest looking at?
Do you think it's more likely the recipient's Exchange server?

Kind Regards
Aaron
Question by:moncomp
 
LVL 6

Expert Comment

by:donnk
ID: 39713331
Show the full email header for the one where you say the email hits your server at 9:27 but the server doesn't deliver it until 5:04.
 

Author Comment

by:moncomp
ID: 39713370
Here is the email header info:

Received: from webhosting.x.x.x (x.x.x.x) by myexchangeserver.com
 (192.168.45.10) with Microsoft SMTP Server (TLS) id 14.1.438.0; Mon, 9 Dec
 2013 17:04:06 +0800
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=sendingserver.com;
      h=Received:From:To:References:In-Reply-To:Subject:Date:Message-ID:MIME-Version:Content-Type:X-Mailer:Thread-Index:Content-Language:X-Source:X-Source-Args:X-Source-Dir;
      b=DHkmUqJqbh+bvV3zJkrw+uxqBYIeK3o9QaKRk1DbjDw9GpO75eWJvjUyNFJioQtsCGGfQqYJswecU4AVmx3SCzl2IXg+CHQ2SXyTyP/ciJ7Eeb53/HQQh/6t2qZ7Eqeo;
Received: from [x.x.x.x] (helo=userPC)      by webhosting.x.x.x with esmtpa
 (Exim 4.69)      (envelope-from <sender@sendersdomain.com>)      id
 1VpqYQ-0004Pd-Qn      for user@myexchangeserver.com; Mon, 09 Dec 2013 09:26:38
 +0700
From: Sender <sender@sendersdomaincom>
To: 'User' <user@myexchangeservercom>
References: <46B795CAF3E4BA49BF741C6B56B43391DFD01F@SERVER.local>
In-Reply-To: <46B795CAF3E4BA49BF741C6B56B43391DFD01F@SERVER.local>
Subject: RE: SENDERS SUBJECT
Date: Mon, 9 Dec 2013 09:26:38 +0700
Message-ID: <000901cef486$16f47e80$44dd7b80$@sendersdomain.com>
MIME-Version: 1.0
Content-Type: multipart/related;
      boundary="----=_NextPart_000_000A_01CEF4C0.C355C780"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFi1XZufTGydSp2DdoKCVd2eZByYZsjYMZg
Content-Language: en-us
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - webhosting.x.x.x
X-AntiAbuse: Original Domain - myexchangeserver.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - sendersdomain.com
X-Source:
X-Source-Args:
X-Source-Dir:
Return-Path: sender@sendersdomain.com
X-MS-Exchange-Organization-AuthSource: SERVER.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-EsetId: 56DCDF3D23A3BB2505918E
 
LVL 6

Expert Comment

by:donnk
ID: 39713384
OK, so this hits your mail server at Mon, 09 Dec 2013 09:26:38. Now show the tracking log from the Exchange toolbox for this email.

Also I see the header is being interfered with:

X-AntiAbuse      This header was added to track abuse, please include it with any abuse report

What is doing this? Is your Exchange box the MX record server, or are you pulling email from another server?
 

Author Comment

by:moncomp
ID: 39713389
Is this what you are after?
[Screenshot: tracking log]
 
LVL 6

Expert Comment

by:donnk
ID: 39713395
X-AntiAbuse: this looks to be the issue. Where is it being applied?
 

Author Comment

by:moncomp
ID: 39713405
Good question. That I'm not sure of. How do I track that down? Is that definitely going to be my end, not the recipient's end?

Anti-Spam is disabled on the SBS 2011 Exchange server.
Could that be applied by the firewall?
 

Author Comment

by:moncomp
ID: 39713407
The server is set as the MX server, it's not using POP3 connector if that's what you meant.

 
LVL 6

Expert Comment

by:donnk
ID: 39713416
Normally cPanel boxes add it. Are these delayed mails always from the same people?
 

Author Comment

by:moncomp
ID: 39713432
I think the user has complained about only two domains.

I went back over the email history for the sender linked to the above logs.
There only seems to be X-AntiAbuse information attached to the email when the email is being replied to by the sender.

Here is the host that's doing it by the looks from the logs: X-AntiAbuse: Primary Hostname - webhosting.u.net.id

I think that's the sender's domain. Maybe their email is housed in cPanel?
 
LVL 18

Expert Comment

by:Andrew Davis
ID: 39713435
Okay, the delay is from webhosting.x.x.x to you. I am going to assume that webhosting.x.x.x is the ISP or smart host being used by the sender, and it is getting bogged down with sending the mail.

To read headers, a great tool is http://mxtoolbox.com/EmailHeaders.aspx

Simply paste the headers and it will give you a report that makes more sense.

Cheers
Andrew
 

Author Comment

by:moncomp
ID: 39713439
I'll send a query about this to the IT admin department that manages the host and see what they think.

Many thanks for your help Andrew :)
 

Author Comment

by:moncomp
ID: 39713441
Hey, one thing I notice when I run the read header tool is the total delay is really long.
Total Delay:       23848 seconds
The delay is only showing on my exchange server side.

Do you think I should be concerned about that at all?
0
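An added example, not part of the original thread: the total delay the header tool reports can be reproduced from the two Received lines posted earlier by converting each timestamp, with its UTC offset, to a common clock. The function names are this example's own, and the sample is constructed from the posted header with the poster's redactions kept.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the two Received headers from the post above,
# with the poster's own redactions (x.x.x.x) kept as-is.
SAMPLE_HEADERS = """\
Received: from webhosting.x.x.x (x.x.x.x) by myexchangeserver.com
 (192.168.45.10) with Microsoft SMTP Server (TLS) id 14.1.438.0; Mon, 9 Dec
 2013 17:04:06 +0800
Received: from [x.x.x.x] (helo=userPC) by webhosting.x.x.x with esmtpa
 (Exim 4.69) (envelope-from <sender@sendersdomain.com>) id
 1VpqYQ-0004Pd-Qn for user@myexchangeserver.com; Mon, 09 Dec 2013 09:26:38
 +0700
Subject: RE: SENDERS SUBJECT

"""

def received_hops(raw_headers):
    """Return [(receiving_host, aware_datetime)], oldest hop first."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())          # undo header folding
        route, _, stamp = unfolded.rpartition(";")  # date follows the last ';'
        words = route.split()
        by_host = words[words.index("by") + 1] if "by" in words else "?"
        hops.append((by_host, parsedate_to_datetime(stamp.strip())))
    hops.reverse()  # headers are prepended, so the newest hop is listed first
    return hops

def hop_delays(hops):
    """Seconds between consecutive hops, attributed to the receiving hop."""
    return [(later[0], int((later[1] - earlier[1]).total_seconds()))
            for earlier, later in zip(hops, hops[1:])]

def slow_hops(raw_headers, threshold_seconds=300):
    """Hops whose gap from the previous hop exceeds the threshold."""
    return [(host, secs) for host, secs in hop_delays(received_hops(raw_headers))
            if secs > threshold_seconds]

if __name__ == "__main__":
    for host, seconds in slow_hops(SAMPLE_HEADERS):
        print(f"{host}: {seconds} s ({seconds / 3600:.1f} h)")
```

The gap is charged to the receiving hop because that is where the later timestamp is stamped, but it covers everything between the relay accepting the message and Exchange receiving it, including the relay's queue and any device in the network path.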
 

Accepted Solution

by:moncomp
ID: 39841061
Hey donnk

Found the issue with FortiGate support.
We updated the firmware to the latest version as their version was quite old.
But then we found someone had configured bandwidth management on all SMTP traffic. We removed it and the issue has not returned! :)
 

Author Closing Comment

by:moncomp
ID: 39849699
Found a firewall configuration issue that resolved the problem.